What is it?
- It is an update to the 1998 Data Protection Act (DPA) which unifies Data Protection across the European Union (EU) – in force from 25/05/2018
- GDPR applies to both paper based and computerised records
Why is it being updated?
- Current legislation needs updating
- Information has become a commodity and can sell for a very high price. Cybercrime is growing and has exposed weaknesses in how and why data is stored.
Step 1 – Awareness
- You should make sure that all decision makers and key people in your organisation/business are aware that the law is changing.
- Understand & Appreciate the impact this is likely to have.
- Train staff on Data Protection Awareness.
Step 2 – Check the information you hold
- You need to document the information you hold
- Why you need this information
- Where this information came from
- Who do you share it with?
- If you’re not sure on any of the above organise an information audit
Step 3 – Communicating privacy information
- Review your current policy
- If you haven’t got one, get one
- Country wide is a good example
Step 4 – Individuals’ Rights
- The rights of individuals are enhanced under the GDPR
- How and why have you collected their data?
- Is your holding of that data appropriate?
- New ‘forget me’ clause
Step 5 – Subject access request
- A subject access request is when an individual/organisation wants to know what data you hold on them
- Make sure your procedures allow for this (you should already have this)
- Must be responded to within 72 hours
- Fine for non-compliance
Step 6 – Lawful basis for processing personal data
- What do you use the data for?
- Ensure you are using the data in a legal manner
- Update your privacy notice to make this known
Step 7 – Consent
- What constitutes consent? (in terms of GDPR)
- Clarity – no room for misunderstanding
- Active opt in – no auto filling in of forms – tick boxes
- Granular – different consent to different areas – vulnerable people
- Named – who are you giving consent to?
- Documented – detail what you are consenting to
- Easy to withdraw – allow consent to be withdrawn at any time
- No imbalance in the relationship – this is the tricky one
Step 8 – Children
- Where children and vulnerable persons are involved, there is a large body of privacy rules that needs to be adhered to
- See ico.org.uk for more guidance
- Social media is a key area of weakness and it is up to the parent or guardian to ensure that minors etc. are all protected
Step 9 – Data breaches
- Ensure all your systems are protected against virus attack
- Encrypt data sources where possible (this is a recommendation under GDPR)
- Encrypt portable data systems e.g. hard drives, USB sticks & mobile phones
- Use two-key authentication when logging in
- Follow data safety rules or risk fines for noncompliance
Step 10 – Data Protection by design and data protection impact assessments (PIAs)
- Familiarise yourself with the ICO code of practice on privacy impact assessments
- Your system needs to ensure that data privacy is preserved at all times
- Implement design of the process into any system you currently have, or are intending to change
Step 11 – Data Protection Officer (DPOs)
- This is the person responsible for seeing GDPR is carried out
- If you have a small company, you will need to do this yourself
- If you have a large company, you will have to support a person
- There must be a backup DPO in event of sickness or holiday
Step 12 – International
- If your business or organisation operates in more than one EU state, you need to determine your lead data protection authority
- If this applies to your organisation, you should map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervising authority.
What happens if my business is not compliant?
Tier 1
- Data breach or non-consenting
- Up to 20 million euros or 4% of global turnover (whichever is greater)
Tier 2
- Data breach or non-consenting
- Up to 10 million euros or 2% of global turnover (whichever is greater)
More information on GDPR can be found at www.ico.org.uk